Malicious PDF — malware analysis report

Static analysis result for SHA-256 0474846ff233b765…

Verdict: MALICIOUS
File type: PDF
Size: 77.3 KB
Created: 2020-08-30 17:28:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6d295aa1c0bd9e4466b1cf04f4034be2
SHA-1: 3c13e95cea770f75e8df3f61c56d1309ac6dec79
SHA-256: 0474846ff233b76507caa5a5e1013882c65989e71f847391159ee16d3070dcb6
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link presented as a search result for 'Sony universal remote codes rm vz320'. Clicking it does not reach a search engine; it lands on 'ttraff.ru', a redirector domain, and from there on whatever the redirect chain serves. The large number of external PDF links, most of them pointing at cdn.shopify.com, is the shape of a generated link farm used for SEO manipulation rather than a genuinely cited document. The ML classifier scores the file as malicious with high confidence. Two practitioner caveats: none of the heuristics below reports JavaScript, an OpenAction or a parser-abusing object, so the T1059.007 mapping rests on the classifier and the campaign context rather than on an extracted script, and the delivery depends on a user clicking the link; and the remaining extracted URLs (font vendor sites, the SIL OFL licence, XMP namespace identifiers) are the usual metadata strings of embedded fonts and document metadata, not link targets.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and a redirect chain rather than on a PDF parser vulnerability: the file is a lure, not an exploit.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=sony+universal+remote+codes+rm+vz320
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.fontrix.com
    • http://www.nhncorp.com
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0429/2925/8649/files/professor_messer_a_study_guide.pdf
    • https://cdn.shopify.com/s/files/1/0462/0894/2233/files/basic_astronomy_books_free.pdf
    • https://cdn.shopify.com/s/files/1/0434/9660/3814/files/torarukubuviju.pdf
    • https://cdn.shopify.com/s/files/1/0428/2672/7580/files/brche_subtrahieren_bungen.pdf
    • https://cdn.shopify.com/s/files/1/0431/9579/3557/files/bless_the_lord_by_matt_redman.pdf
    • https://cdn.shopify.com/s/files/1/0434/0881/8333/files/wubilosozitikaladibarenik.pdf
    • https://static.usrfiles.com/ugd/8de238_36e557c1d47a4a4ab60962480165c02d.pdf
    • https://static.usrfiles.com/ugd/2e4eb4_25c097dca04e447787efcae038fef8b0.pdf
    • https://cdn.shopify.com/s/files/1/0429/7854/1722/files/zelelubakiwagokunuwude.pdf
    • https://cdn.shopify.com/s/files/1/0431/1816/6167/files/43227481075.pdf
    • https://cdn.shopify.com/s/files/1/0434/7042/2180/files/fepokaxopekejukuduxibuva.pdf
    • https://cdn.shopify.com/s/files/1/0432/4425/7442/files/rapakadefamateruzavudilub.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
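The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a short scan over the raw PDF bytes. The following is example code added to this report, not the analysis engine's own implementation. It parses uncompressed indirect objects, resolves them both first-wins and last-wins so that a duplicated object shows up as two different /URI targets, raises the duplicate's severity only when a body carries active content, and scores the link-farm shape by file size, number of external .pdf links and their clustering on one host. The thresholds (200 KB, 8 links, 50% on one host) and the sample PDF are assumptions constructed for the example; support.example is a placeholder host, while cdn.shopify.com and the ttraff.ru URL are taken from the report above.

```python
"""Link-farm and duplicate-object checks over raw PDF bytes (example code, not the
engine's own). Regex scanning covers uncompressed objects, which is what wkhtmltopdf
emits for link annotations; objects inside object streams would need inflating first."""
import re
from collections import Counter
from urllib.parse import urlparse

# "N G obj ... endobj" in file order; repeated definitions are kept on purpose.
OBJ_RE = re.compile(rb"(?<![\d.])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA")


def parse_objects(pdf: bytes):
    """Return [(num, gen, body)] for every object definition, including repeats."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(pdf)]


def resolve(objects, policy="last"):
    """Build (num, gen) -> body the way a first-wins or last-wins reader would."""
    table = {}
    for num, gen, body in objects:
        if policy == "last" or (num, gen) not in table:
            table[(num, gen)] = body
    return table


def duplicate_objects(objects):
    """Keys defined more than once with different bytes; severity is raised only
    when either body carries active content, mirroring the report's rule."""
    first, dups = {}, {}
    for num, gen, body in objects:
        key = (num, gen)
        if key in first and first[key] != body:
            active = any(k in first[key] or k in body for k in ACTIVE_KEYS)
            dups[f"{num} {gen}"] = {"first": first[key].decode("latin-1"),
                                    "last": body.decode("latin-1"),
                                    "severity": "critical" if active else "info"}
        first.setdefault(key, body)
    return dups


def extract_uris(table):
    """Link-annotation targets (/URI strings) from a resolved object table."""
    return [m.decode("latin-1") for body in table.values() for m in URI_RE.findall(body)]


def link_farm_verdict(uris, pdf_size, max_size=200 * 1024, min_pdf_links=8, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM shape: small file, many external .pdf links, mostly on one host.
    Thresholds are assumptions for this example."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = round(top_count / len(pdf_links), 2) if pdf_links else 0.0
    return {"pdf_links": len(pdf_links), "top_host": top_host, "top_host_share": share,
            "flag": pdf_size <= max_size and len(pdf_links) >= min_pdf_links and share >= cluster_ratio}


def analyze(pdf: bytes):
    objects = parse_objects(pdf)
    first_wins, last_wins = resolve(objects, "first"), resolve(objects, "last")
    return {"duplicates": duplicate_objects(objects),
            "uris_first_wins": extract_uris(first_wins),
            "uris_last_wins": extract_uris(last_wins),
            "link_farm": link_farm_verdict(extract_uris(last_wins), len(pdf))}


def build_sample_pdf() -> bytes:
    """Constructed sample (no xref table; the regex scan does not need one): one
    'search result' link (object 4), eight .pdf links on cdn.shopify.com, then an
    appended incremental update that redefines object 4 to the redirector URL."""
    def link(n, uri):
        return (f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                f"/A << /S /URI /URI ({uri}) >> >>\nendobj\n")
    farm = [f"https://cdn.shopify.com/s/files/1/0{430 + i}/0001/files/doc{i}.pdf" for i in range(8)]
    refs = " ".join(f"{10 + i} 0 R" for i in range(len(farm)))
    original = ("%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
                f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R {refs}] >>\nendobj\n"
                + link(4, "https://support.example/remote-codes")  # placeholder host
                + "".join(link(10 + i, u) for i, u in enumerate(farm))
                + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    update = (link(4, "https://ttraff.ru/wix?keyword=sony+universal+remote+codes+rm+vz320")
              + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return (original + update).encode("latin-1")


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(build_sample_pdf()), indent=2))
```

Running the script on the constructed sample flags the link farm (eight .pdf links, all on cdn.shopify.com) and reports object "4 0" as a critical duplicate: a first-wins reader resolves the benign placeholder link, a last-wins reader the ttraff.ru redirector, which is exactly why the duplicate-body heuristic matters when the body is a link annotation rather than inert content.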

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000bdcc.bin
  SHA-256: 867753e3f28195aa5df41cc8ccdcc8edc76ecdaef18b16c481333269a14ab31d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBDCC
  Size: 5720 bytes

Filename: font_01_sfnt_off0000d124.bin
  SHA-256: 129c3f9b5e69fc9901f078b23959c7b0363d1c1fa2d87c754b2ca253535b3760
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD124
  Size: 2260 bytes

Filename: font_02_sfnt_off0000dae0.bin
  SHA-256: 7d54bd01beba36f125bbcaf78ce55b596830c4101b47d325f2667791cdf1e778
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDAE0
  Size: 15536 bytes

Filename: font_03_sfnt_off000109f0.bin
  SHA-256: dd3e23f95b3f880e17d08314d4014c1b1ed4e7393a104c3f024da274654b2fc9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x109F0
  Size: 3832 bytes

Filename: font_04_sfnt_off00011791.bin
  SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11791
  Size: 4324 bytes